From Boardroom to Operations

Aligning business security strategy from top to bottom

Garry Sidaway, NTT Com Security

From boardroom to operations, every individual at every level of an organization must understand their true exposure to risk if they are expected to contribute to informed decisions that assure continuous risk management that protects their business.

The time has passed when an IT manager equipped with security point-products could be handed sole responsibility for business integrity. Today, robust information security and effective risk management demands buy-in at every level of the modern enterprise. Senior management can help instil a culture of information security, but actually knowledgeable deployment and use of security technology should form the foundation of every department. Technology in all forms now has an unprecedented impact on every facet of business, so it is vital that IT specialists, administrators, executives and senior management are all aware of the bigger organizational picture. They each need to be given the insights necessary to allow them to be part of an engaged team that can be consulted for perspectives ahead of strategic decisions.

Frontline operational staff and those who sit in the boardroom inevitably focus on different objectives. Board-level decisions are made based on business agility, whereas operational teams are generally more interested in cost-efficiency, and modern IT teams are preoccupied with business continuity and point security solutions. So IT security, as with business generally, will always experience some tradeoffs. Focusing too much spend on security will have an adverse impact on business productivity and may cut into business profit. But without aligning broad business strategy with security, valuable resources will be expended unnecessarily and systems left vulnerable to external threats.

It is vital to align security strategy with business objectives from top to bottom, while encouraging best practice from the board, to management and operational staff. Organizations must gain a complete understanding of what the business challenges are before they are able to put risk into the correct context. Only then can they make informed decisions about where investments should be made to reduce the risk to the business, identify risks, optimize the use of available resources, align risk management with commercial goals and achieve regulatory compliance. Management and operational staff must come together to make objective decisions about how much security is appropriate to protect the business. By embedding effective information security that supports rather than constrains business, organizations can operate more effectively in the current threat landscape, make clear informed decisions about risk, and deliver a balance between business security and agility that helps a business work without constraints.

Last year Robert Plant, an associate professor of computer information systems at the University of Miami School of Business Administration, wrote an article for Harvard Business review in which he asserted that executives must understand four basic points about IT security: a well-executed data breech is potentially more dangerous to a business than a recession; cybercrime isn’t someone else’s problem, it’s their problem; just because C-suite peers at other firms don’t talk about security breaches doesn’t mean they’re not happening; and finally, execs probably don’t understand where their data is, so now is a good time to check the detail in those third-party SLAs.

This highlights that security is everyone’s responsibility. Managing information security is a challenge from boardroom to frontline operations, but attitudes and actions from the board to the front-line are more productive in every aspect within a truly cohesive organization. It’s crucial to convince everyone from the CEO to the newest recruit to align with security policies. But it’s also essential to put risk into context, and select appropriate technologies that secure unique business environments. For many businesses today, partnering with a trusted advisor provides invaluable perspective and objectivity.